North Korea disguising Android malware as legitimate apps

North Korea disguising Android malware as legitimate apps

Electronic warfare / nation-state attacks
And the
endpoint security
And the
Fraud and cybercrime management

Apps masquerading as Google Docs Viewer and Security Plugin

South Korean and American soldiers stand guard in South Korea’s demilitarized zone facing North Korea. (picture: Ministry of Defense)

North Korean hackers may target Android users south of the demilitarized zone with malware including one variant disguised as a Google security plugin.

See also: on demand | API Protection – Your API Protection Strategy

Seoul-based S2W Cyber ​​Security Company Says It spotted three Android malware apps, called FastFire, FastSpy and FastViewer, by studying a server domain used by North Korean hackers in the past.

FastFire masqurades as a security plugin from Google, and until last week’s S2W blog post, it had not yet been flagged as malicious in the VirusTotal malware test. FastViewer masquerades as Hancom Office Viewer and FastSpy is a remote access tool based on AndroSpy.

Malware comes from a state-sponsored kit Kimsuke, also known as Thallium, Black Banshee, and Velvet Chollima. Kimsuke has been active since 2012 and was commissioned by Pyongyang to gather intelligence on foreign policy and national security issues related to the Korean Peninsula. US government warned In 2020, Kimsuky was also active in the United States and Japan.

The group acquires accounts through spear attacks. It also sends phishing messages allegedly from Naver and Daum, two popular portals for news services in South Korea.

S2W says FastFire appears to be in development. Unlike typical command and control applications that send messages via HTTP, it communicates with infected devices through Firebase, an application development platform powered by Google. The cybersecurity firm estimates that FastFire is still in development because the process of downloading additional malicious code was not executed correctly.

Specifically, FastFire implements what Android developers know as “deep link– A URL that opens a specific page in the app. S2W says it’s a deep link calling function that hasn’t been mastered yet.

Once installed, FastFire hides its launcher icon so that the victim does not know it is installed.

FastViewer is a mobile remote access trojan masquerading as a popular application used to view documents with file extensions from Microsoft or Hancom word processors. The South Korean brand Hangul word processor developed by Hancom is still relatively prevalent in South Korea due to its early support for the Korean alphabet.

FastViewer normally acts as a document viewer, but when it reads a file created by an attacker, it transmits device information to a command and control server. Then it downloads FastSpy, a remote access tool based on AndroSpy, which open source code.

FastSpy researchers “might abuse” Android’s built-in accessibility functions by automatically clicking on a popup asking for user permission for additional permissions. S2W says it didn’t see this functionality in the version it analyzed.

The application is able to take control of the infected smartphones. S2W advises users to be careful about phishing pages and “not to download viewer software and document files from third parties and anyone.”


#North #Korea #disguising #Android #malware #legitimate #apps

Leave a Comment

Your email address will not be published. Required fields are marked *